I have set up a Server Action to list all the users in my database and I am populating a dropdown with the data. It works insofar as I get a list of all the users.
What I am having trouble with is restricting access to just my ‘Super Admin’ user group. I am using a two table system - one for users and one for groups. A user can be in multiple groups. Regardless of what I set in the “Restrict Properties, permission” box I can always get the list of users if I am logged in.
This is my setup for the Security Restrict:
This is my setup for my permissions:
It is my understanding that this set up should produce the following MySQL query for a user with the identity of 10:
SELECT * FROM users JOIN tbl_group_members ON users.id = tbl_group_members.user_id WHERE user_id = 10 AND group_id = 1
In my database this returns no records (user 10 is not a Super Admin) - my assumption was that this would cause the query to not be run or returned. However I still get a full response of all the records I asked for.
I have tried multiple combinations of users in the group, not in the group, user not in the groups table or user table etc and they all return all the records requested as if user 10 is a Super Admin. The only time that does not happen is when I am logged out.
Any thoughts any one about what I am missing here?